SPECTRA FIELD MANUAL
FLAGSHIP WORKFLOW · spectra-war-room

The War Room

When Viper (Red) and Commander (Blue) look at the same target, they see different things. Put them in a room together and they clash — producing insights neither would reach alone. An impartial Referee scores the exchange on evidence, not opinion.

/spectra-war-room Skill reference →
RED · Viper · attack paths
BLUE · Commander · detection & controls
REFEREE · Adjudication · scored on evidence
OUTPUT · Scorecard · detection-gap backlog
HOW IT WORKS

Three moves

01

Assemble

Load the relevant Red and Blue agents and pick a mode. The facilitator sets the target, the question, and the engagement scope.

02

Clash

Red and Blue debate the same target — they disagree by design. Viper argues attack paths; Commander argues detection and controls. Each round sharpens the other.

03

Adjudicate

A neutral Referee scores the exchange on evidence — detection latency, severity coverage, technique misses — and a Scribe writes the debrief. Insights neither side reaches alone.

TWO MODES
INTERACTIVE

War Room

A live, in-IDE debate. Agents disagree by design across rounds; a Party-Mode planner can emit deterministic sub-agent task contracts (lane, inputs, done-criteria, scope gate) — plan-first, it never auto-executes offensive actions.

spectra party plan
DISTRIBUTED

Duel Mode

Red and Blue run on separate machines with role-local evidence ledgers. The Referee correlates Red actions with Blue detections across the timeline and produces a scorecard: detection latency, severity coverage, technique misses — credit only where the ledger proves it.

spectra-duel-adjudication →
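The Referee's correlation step described above, as an added example that is not Spectra's own code (Spectra's real ledger format and adjudication rules are not shown on this page): two constructed role-local ledgers, a credit rule that only counts a detection when it is backed by Blue telemetry, lands after the Red action and inside a time window, and a scorecard with detection latency, severity coverage and technique misses. The field names, the evidence labels in TELEMETRY_SOURCES, the 30-minute window and the ledger entries themselves are assumptions made for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# How long after a Red action a Blue detection may still be credited to it (assumed policy value)
WINDOW = timedelta(minutes=30)

# Evidence labels that count as Blue telemetry (assumed labels). "red-plan" is deliberately absent:
# prior knowledge of the Red plan never counts as a detection.
TELEMETRY_SOURCES = {"edr", "proxy", "tls-inspection", "auth-log"}

# Constructed Red ledger: what Red did, when, and how severe it was. Not a real engagement record.
RED_LEDGER = [
    {"id": "R1", "technique": "tls-downgrade",     "severity": "medium", "at": "2024-05-01T10:00:00"},
    {"id": "R2", "technique": "credential-reuse",  "severity": "high",   "at": "2024-05-01T10:05:00"},
    {"id": "R3", "technique": "password-spray",    "severity": "low",    "at": "2024-05-01T10:10:00"},
    {"id": "R4", "technique": "script-execution",  "severity": "high",   "at": "2024-05-01T10:20:00"},
]

# Constructed Blue ledger: what Blue claims to have seen and the evidence behind each claim.
BLUE_LEDGER = [
    {"technique": "credential-reuse", "at": "2024-05-01T10:09:30", "evidence": "auth-log"},
    {"technique": "tls-downgrade",    "at": "2024-05-01T10:01:00", "evidence": "red-plan"},   # knew the plan: no credit
    {"technique": "script-execution", "at": "2024-05-01T10:22:15", "evidence": "edr"},
    {"technique": "script-execution", "at": "2024-05-01T09:50:00", "evidence": "edr"},        # before the action: no credit
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def credited_detection(action: dict, blue: List[dict], window: timedelta = WINDOW) -> Optional[dict]:
    """Earliest Blue detection the ledger proves for this action: same technique,
    telemetry-backed evidence, timestamped at or after the action and within the window.
    Returns None when nothing qualifies, which the scorecard records as a miss."""
    start = _ts(action["at"])
    candidates = [
        d for d in blue
        if d["technique"] == action["technique"]
        and d["evidence"] in TELEMETRY_SOURCES
        and start <= _ts(d["at"]) <= start + window
    ]
    return min(candidates, key=lambda d: _ts(d["at"])) if candidates else None


def scorecard(red: List[dict], blue: List[dict], window: timedelta = WINDOW) -> Dict[str, object]:
    """Correlate the two ledgers and produce the three numbers the Referee reports:
    detection latency per credited action, severity coverage, and the list of misses."""
    latency_s: Dict[str, float] = {}
    misses: List[str] = []
    by_severity: Dict[str, List[int]] = {}      # severity -> [detected, total]
    for action in red:
        bucket = by_severity.setdefault(action["severity"], [0, 0])
        bucket[1] += 1
        hit = credited_detection(action, blue, window)
        if hit is None:
            misses.append(action["id"])
            continue
        bucket[0] += 1
        latency_s[action["id"]] = (_ts(hit["at"]) - _ts(action["at"])).total_seconds()
    coverage = {sev: round(det / total, 2) for sev, (det, total) in by_severity.items()}
    return {"latency_s": latency_s, "severity_coverage": coverage, "misses": misses}


if __name__ == "__main__":
    result = scorecard(RED_LEDGER, BLUE_LEDGER)
    for action_id, seconds in result["latency_s"].items():
        print(f"{action_id}: detected after {seconds:.0f}s")
    print("severity coverage:", result["severity_coverage"])
    print("misses:", result["misses"])
```

Two of the four constructed actions end up as misses even though Blue logged something for one of them: the tls-downgrade claim is backed only by knowledge of the Red plan, so it earns no credit, which is exactly the "credit only where the ledger proves it" rule. The window and the evidence whitelist are the two knobs an engagement would tune.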
A REAL EXCHANGE

What it actually produces

From the shipped demo engagement (run spectra quickstart). Target: a legacy-TLS exposure. The question: real risk, or noise?

🔴 Viper

TLS 1.0 still negotiating means I can force a downgrade. With no HSTS (F-003), there’s no protocol floor — a same-segment attacker strips transport and reads the session. Two lows plus one medium chain into session hijack.

🔵 Commander

Real, but bound it: the downgrade needs an active MITM position — same-segment, not remote-internet. Severity is medium, not high. What worries me: we have no TLS-version telemetry, so a downgrade is unobserved.

⚖️ Referee

Attack path confirmed (handshake capture + version disclosure). Precondition: medium (MITM plausible on shared segments). Detection: gap — no TLS-version telemetry. Verdict: real and currently undetected.

Out of the room
  • Disable TLS 1.0/1.1 → resolves F-001
  • Add HSTS + security headers → resolves F-003
  • NEW detection requirement: alert on any sub-TLS-1.2 handshake — the gap neither side reaches alone
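The detection requirement that comes out of the room (alert on any sub-TLS-1.2 handshake) needs TLS-version telemetry, and the cheapest source of it is the server's own ServerHello on the wire. The following is an added example, not Spectra code and not material from the demo engagement: it parses a ServerHello record, reads the supported_versions extension that TLS 1.3 uses to carry the real selected version (so a TLS 1.3 session is not misread as 1.2), and raises one alert per connection that negotiated below the TLS 1.2 floor. The records it scans are constructed inline by a small builder; the connection tuples are invented. In a real deployment the input would be handshake records from a network sensor.

```python
import struct
from typing import List, Optional, Tuple

TLS_VERSIONS = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
MIN_ACCEPTED = 0x0303            # protocol floor from the debrief: anything below TLS 1.2 alerts
EXT_SUPPORTED_VERSIONS = 0x002B  # TLS 1.3 ServerHello carries the selected version in this extension


def negotiated_version(record: bytes) -> Optional[int]:
    """Return the version a ServerHello TLS record selected, or None when the bytes
    are not a complete handshake record carrying a ServerHello (truncated, other content type)."""
    if len(record) < 5 or record[0] != 0x16:                     # content type 0x16 = handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x02:  # handshake type 0x02 = ServerHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 2 + 32 + 1:
        return None
    version = struct.unpack("!H", hello[0:2])[0]                 # legacy_version (0x0303 even for TLS 1.3)
    pos = 2 + 32                                                  # skip server random
    pos += 1 + hello[pos]                                         # skip session id (length-prefixed)
    pos += 2 + 1                                                  # skip cipher suite and compression method
    if pos + 2 <= len(hello):                                     # extensions block is optional before TLS 1.3
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(hello))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS and len(data) >= 2:
                version = struct.unpack("!H", data[0:2])[0]      # the version actually negotiated
    return version


def build_server_hello(legacy_version: int, selected: Optional[int] = None) -> bytes:
    """Build a minimal ServerHello record. Constructed test data for the scan below,
    not a capture from any real server."""
    cipher = b"\x13\x01" if selected == 0x0304 else b"\x00\x2f"     # TLS_AES_128_GCM_SHA256 / TLS_RSA_WITH_AES_128_CBC_SHA
    hello = struct.pack("!H", legacy_version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    hello += cipher + b"\x00"                                             # cipher suite, null compression
    exts = b"" if selected is None else struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
    hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", legacy_version) + struct.pack("!H", len(handshake)) + handshake


def scan_handshakes(records: List[Tuple[str, bytes]]) -> List[dict]:
    """The rule from the debrief: one alert per connection whose server selected a
    version below TLS 1.2. Records that are not a ServerHello are skipped, not alerted on."""
    alerts = []
    for conn, record in records:
        version = negotiated_version(record)
        if version is not None and version < MIN_ACCEPTED:
            alerts.append({
                "conn": conn,
                "version": TLS_VERSIONS.get(version, f"0x{version:04x}"),
                "rule": "sub-TLS-1.2 handshake",
            })
    return alerts


# Constructed sample telemetry: one ServerHello per connection plus one application-data record.
SAMPLE_RECORDS = [
    ("10.0.5.21:49152->10.0.5.10:443", build_server_hello(0x0301)),          # TLS 1.0: alert
    ("10.0.5.22:49201->10.0.5.10:443", build_server_hello(0x0303)),          # TLS 1.2: fine
    ("10.0.5.23:49377->10.0.5.10:443", build_server_hello(0x0303, 0x0304)),  # TLS 1.3: fine
    ("10.0.5.24:49411->10.0.5.10:443", build_server_hello(0x0302)),          # TLS 1.1: alert
    ("10.0.5.25:49500->10.0.5.10:443", b"\x17\x03\x03\x00\x01\x00"),          # application data: skipped
]

if __name__ == "__main__":
    for alert in scan_handshakes(SAMPLE_RECORDS):
        print(f"ALERT {alert['rule']}: {alert['conn']} negotiated {alert['version']}")
```

The parser keys off the server's choice rather than the client's offer because a downgrade only succeeds when the server accepts the lower version, so a ClientHello that merely offers TLS 1.0 is not the signal. Once this telemetry exists, the ledger correlation in Duel Mode has something to credit Blue for on the downgrade path.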
HONEST MEASUREMENT

The expected result is not "invisible Red". It is an honest measurement: which signals were produced, which Blue saw, which were missed, which controls worked, and which need improvement. Detection must be evidenced by Blue telemetry — prior knowledge of the Red plan never counts.